727e813c77
Not everything is fixed yet. However, we fixed: - 'const' -> 'fresh' - Removed lines specifying 'runs' - Removed some specifications of compromised Eve and its long-term keys being compromised.
73 lines
1.5 KiB
C++
73 lines
1.5 KiB
C++
/*
|
|
* This is a model of a version of the TLS protocol as modeled by
|
|
* He,Sundararajan,Datta,Derek and Mitchell in the paper: "A modular
|
|
* correctness proof of IEEE 802.11i and TLS".
|
|
*
|
|
* This is the fixed version, with quite some differences:
|
|
*
|
|
* 1) new definition of handShake1
|
|
* 2) changed order in msg3
|
|
*
|
|
* (These are the suggestions made by Cas to Anupam Datta)
|
|
*/
|
|
#define CERT(a) { a,pk(a) }sk(Terence)
|
|
#define msg1 X,Nx,pa
|
|
#define msg2 Ny,pb,CERT(Y)
|
|
#define handShake1 msg1,msg2,{msecret}pk(Y)
|
|
#define msg3 CERT(X),{msecret}pk(Y),{handShake1}sk(X),hash(msecret,handShake1,clientstring)
|
|
#define handShake2 msg1,msg2,msg3
|
|
#define msg4 hash(msecret,handShake2,serverstring)
|
|
|
|
|
|
/* below is just Scyther input and no further macro definitions */
|
|
|
|
usertype Params, String;
|
|
|
|
const pk,hash: Function;
|
|
secret sk,unhash: Function;
|
|
inversekeys(pk,sk);
|
|
inversekeys(hash,unhash);
|
|
|
|
const clientstring,serverstring: String;
|
|
|
|
const Alice, Bob, Eve: Agent;
|
|
const Terence: Agent;
|
|
|
|
protocol tls-HSDDM05(X,Y)
|
|
{
|
|
role X
|
|
{
|
|
fresh Nx: Nonce;
|
|
fresh msecret: Nonce;
|
|
fresh pa: Params;
|
|
var Ny: Nonce;
|
|
var pb: Params;
|
|
|
|
send_1( X,Y, msg1 );
|
|
read_2( Y,X, msg2 );
|
|
send_3( X,Y, msg3 );
|
|
read_4( Y,X, msg4 );
|
|
|
|
claim_X1( X, Secret, msecret );
|
|
}
|
|
|
|
role Y
|
|
{
|
|
var Nx: Nonce;
|
|
var msecret: Nonce;
|
|
var pa: Params;
|
|
fresh Ny: Nonce;
|
|
fresh pb: Params;
|
|
|
|
read_1( X,Y, msg1 );
|
|
send_2( Y,X, msg2 );
|
|
read_3( X,Y, msg3 );
|
|
send_4( Y,X, msg4 );
|
|
|
|
claim_Y1( Y, Secret, msecret );
|
|
}
|
|
}
|
|
|
|
|
|
|